Arctic Wolf Labs documented active exploitation of CVE-2026-35616, an improper access control vulnerability in Fortinet's FortiClient EMS that allows unauthenticated attackers to bypass API authentication and gain privileged access. Threat actors leveraged the management platform's own VPN scripting functionality (on_connect directives) to push malicious PowerShell commands fleet-wide to managed endpoints. The payload, disguised as a legitimate Fortinet patch named FortiEndpoint_Patch.exe, is a previously unreported credential stealer dubbed EKZ Infostealer. It extracts credentials, cookies, and autofill data from Chromium and Firefox-family browsers — including bypassing Chrome's app-bound encryption via the IElevator::DecryptData API — then exfiltrates results via HTTP POST to a threat-actor-controlled VPS. Detection guidance covers EMS log anomalies, suspicious PowerShell process trees spawned by fortitray.exe, and network indicators tied to 83.138.53.110.
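The detection guidance above names two host and network signals: a PowerShell host spawned under fortitray.exe, and traffic to 83.138.53.110. The following is an added example (not from the Arctic Wolf report) of how a defender might turn those into rules run over endpoint telemetry. The event records are constructed, Sysmon-style process-create (Event ID 1) and network-connect (Event ID 3) entries with invented PIDs and paths; the payload file name and the IP come from the summary, while the destination port and the rule names are assumptions.

```python
"""Constructed example: flag the process-tree and network indicators
summarised above. Events are hypothetical Sysmon-style records built
inline; the field names follow Sysmon conventions but every value is
invented except the file name and IP taken from the summary text."""
from dataclasses import dataclass
from ntpath import basename  # handles Windows paths on any host OS

# Indicators taken from the summary text.
C2_IP = "83.138.53.110"
PAYLOAD_NAME = "fortiendpoint_patch.exe"   # compared case-insensitively
FORTI_TRAY = "fortitray.exe"
SHELLS = {"powershell.exe", "pwsh.exe"}


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def _base(path: str) -> str:
    return basename(path).lower()


def build_process_table(events):
    """Map pid -> its process-create event so we can walk ancestry."""
    return {e["pid"]: e for e in events if e["event_id"] == 1}


def ancestry(pid, table, max_depth=8):
    """Return [image, parent image, grandparent image, ...] for pid.
    Stops at unknown parents, cycles, or max_depth."""
    chain, seen = [], set()
    while pid in table and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(_base(table[pid]["image"]))
        pid = table[pid]["ppid"]
    return chain


def detect(events):
    """Apply the three rules and return a list of Finding objects."""
    table = build_process_table(events)
    findings = []
    for e in events:
        if e["event_id"] == 1:
            img = _base(e["image"])
            chain = ancestry(e["pid"], table)
            # Rule 1: a PowerShell host anywhere beneath fortitray.exe.
            if img in SHELLS and FORTI_TRAY in chain[1:]:
                findings.append(Finding("fortitray_spawns_powershell",
                                        e["pid"], " <- ".join(chain)))
            # Rule 2: execution of the payload name reported above.
            if img == PAYLOAD_NAME:
                findings.append(Finding("ekz_payload_name",
                                        e["pid"], e["image"]))
        elif e["event_id"] == 3 and e["dest_ip"] == C2_IP:
            # Rule 3: any connection to the reported exfiltration host.
            findings.append(Finding("c2_network_indicator", e["pid"],
                                    f"{_base(e['image'])} -> {C2_IP}:{e['dest_port']}"))
    return findings


# Constructed sample telemetry (PIDs, paths and port 80 are assumptions).
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 50, "ppid": 1,
     "image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Fortinet\FortiClient\FortiTray.exe"},
    {"event_id": 1, "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 1, "pid": 300, "ppid": 200,
     "image": r"C:\Users\Public\FortiEndpoint_Patch.exe"},
    # Benign: an admin's PowerShell launched from Explorer.
    {"event_id": 1, "pid": 400, "ppid": 50,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 3, "pid": 300, "image": r"C:\Users\Public\FortiEndpoint_Patch.exe",
     "dest_ip": C2_IP, "dest_port": 80},
    {"event_id": 3, "pid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "10.0.0.5", "dest_port": 443},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

The ancestry walk matters more than the direct-parent check: an intermediate cmd.exe or a second PowerShell hop would still be caught because the rule looks for fortitray.exe anywhere in the chain, while the benign Explorer-launched shell produces no finding.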

From arcticwolf.com (10m read time)
Table of contents of the original report:

- Summary
- Background
- What We Know About the Campaign
- Conclusion
- Detection Guidance
- Appendix
